Improve company productivity with a Business Account.Sign Up

x
?
Solved

domain time not syncing

Posted on 2013-05-23
4
Medium Priority
?
688 Views
Last Modified: 2013-05-27
i have a single domain with 3 sites.  everything is working fine except that at site 2 the time on the local domain controller will not sync with the PDC at site 1.

each site has it's own domain controller. site 1 is connected to site 2 via private line.  site 1 is connected to site 3 via VPN at our firewalls.  site 2 and 3 cannot communicate directly.

users on the domain at site 2 are pulling incorrect time from the DC at site 2.  on the DC at site 2 a w32tm /monitor recognizes a time mismatch between it and the PDC at site 1, but a resync does not fix the issue.

i went ahead and added the PDC at site 1 as a manually added peer, but resyncing still does not fix the issue...

to temporarily fix the issue i did a net time \\DC@site1 /set.  i've had to do this twice within the last 3 months.  any ideas why the DC at site 2 is not pulling time correctly?  i've checked and UDP traffic on port 123 is allowed across our private link, so its not a traffic/routing/networking issue.

many thanks in advance.
0
Comment
Question by:j_haff
  • 2
4 Comments
 
LVL 18

Accepted Solution

by:
Chris earned 2000 total points
ID: 39193558
you need to set up windows time settings to sort this out so that resync happens automatically

you can use WMI filtering to automatically move the Time settings around

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

then add the additional settings to control how often it syncs and where from

On the PDC add these settings to the policy (where GPS External is a dns record pointing at an external time source, this could also be pool.ntp.org or something similar)

System/Windows Time Service/Time Providershide
Policy Setting Comment
Configure Windows NTP Client Enabled  
NtpServer GPSEXTERNAL,0x1
Type NTP
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 900
EventLogFlags 3


 on the default DC policy
System/Windows Time Service/Time Providershide
Policy Setting Comment
Configure Windows NTP Client Enabled  
NtpServer time.windows.com,0x9
Type NT5DS
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 3600
EventLogFlags 1
 

i use the following in both to control the correction

System/Windows Time Servicehide
Policy Setting Comment
Global Configuration Settings Enabled  
Clock Discipline Parameters
FrequencyCorrectRate 4
HoldPeriod 5
LargePhaseOffset 50000000
MaxAllowedPhaseOffset 300
MaxNegPhaseCorrection 172800
MaxPosPhaseCorrection 172800
PhaseCorrectRate 7
PollAdjustFactor 5
SpikeWatchPeriod 900
UpdateInterval 100
General Parameters
AnnounceFlags 10
EventLogFlags 2
LocalClockDispersion 10
MaxPollInterval 10
MinPollInterval 6
ChainEntryTimeout 16
ChainMaxEntries 128
ChainMaxHostEntries 4
ChainDisable 0
ChainLoggingRate 30
0
 
LVL 18

Expert Comment

by:Chris
ID: 39193560
to run through the checking you can do some of the following

setup debugging on window time

http://support.microsoft.com/kb/816043

this will create log files and you can tell if its pulling the time from the right place

w32tm /query /status to see what its doing

then
w32tm /monitor /computers:dc2.domain.com,DC01.domain.com (It will show the offset by comparing with your PDC)

or with a nice easy display

w32tm /stripchart /computer:<remote computer>
0
 

Expert Comment

by:userPrincipalName
ID: 39195071
It should be pointed out the Announce Flags on your PDCe should be set to 5.  All other DCs should be set to 10.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 39197917
Also, how far out of time are they?

MaxAllowedPhaseOffset 300

This means they will not synch unless they are +/- 5 minutes out of synchronization.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
You have missed a phone call. The number looks like it belongs to the bunch of numbers which your company uses. How to find out who has just called you?
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question